PatchSiren cyber security CVE debrief
CVE-2026-55205 nesquena CVE debrief
CVE-2026-55205 is a medium-severity vulnerability (CVSS 6.9) in Hermes WebUI before 0.51.468. The unauthenticated POST /api/onboarding/oauth/start endpoint lets an attacker exhaust server memory and thread resources by sending repeated or concurrent requests, each of which can also trigger an outbound device-code request to an upstream OAuth provider. Users of affected Hermes WebUI versions should update to 0.51.468 or later to mitigate this vulnerability.
- Vendor: nesquena
- Product: hermes-webui
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-18
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-18
- Advisory updated: 2026-06-22
Who should care
Administrators and users of Hermes WebUI versions before 0.51.468 should update their installations. Security teams should prioritize this patch: the endpoint is unauthenticated, so resource exhaustion requires nothing more than repeated requests.
Technical summary
The vulnerability exists in the unauthenticated POST /api/onboarding/oauth/start endpoint of Hermes WebUI before 0.51.468. This endpoint allows for unbounded accumulation of in-memory flow state and daemon threads. Attackers can exploit this by sending repeated or concurrent requests, leading to server memory and thread resource exhaustion. The vulnerability is tracked as CVE-2026-55205 and has been addressed in version 0.51.468 of Hermes WebUI.
Defensive priority
High
Recommended defensive actions
- Update Hermes WebUI to version 0.51.468 or later
- Restrict access to the /api/onboarding/oauth/start endpoint
- Implement rate limiting on incoming requests to the endpoint
- Monitor server resources for unusual patterns
- Consider implementing additional security measures such as IP blocking or traffic filtering
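The technical summary above describes unbounded in-memory flow state created by an unauthenticated endpoint, and the actions above recommend rate limiting it. The following is an added illustration of that mitigation, written for this page and not taken from Hermes WebUI or its fix: a pending-flow registry with a global cap, a per-client cap and a TTL, so a rejected request consumes no memory, no thread and no upstream device-code call. The class, limits and client identifiers are assumptions for the example.

```python
# Added example, not Hermes WebUI's own code: a bounded, expiring registry for
# pending OAuth device-code onboarding flows, the mitigation for the unbounded
# in-memory flow state that CVE-2026-55205 describes.
import secrets
import threading
import time


class FlowRegistry:
    """Pending flows with hard limits, so an unauthenticated caller cannot grow
    memory (or the per-flow threads a caller would start) without bound.
    `clock` is injectable so expiry can be tested deterministically."""

    def __init__(self, max_pending=100, per_client=3, ttl=300.0, clock=time.monotonic):
        self.max_pending, self.per_client, self.ttl = max_pending, per_client, ttl
        self.clock = clock
        self._flows = {}  # flow_id -> (client, created_at)
        self._lock = threading.Lock()

    def _evict_expired(self):
        now = self.clock()
        for fid in [f for f, (_, t0) in self._flows.items() if now - t0 > self.ttl]:
            del self._flows[fid]

    def start_flow(self, client):
        """Reserve a slot for `client`; return a flow id, or None if a limit is hit.
        Only a successful reservation should lead to the outbound device-code
        request, so a rejected call costs no memory, thread, or upstream call."""
        with self._lock:
            self._evict_expired()
            if len(self._flows) >= self.max_pending:
                return None  # global cap: refuse instead of growing the table
            if sum(1 for c, _ in self._flows.values() if c == client) >= self.per_client:
                return None  # per-client cap: one address cannot fill the table
            fid = secrets.token_urlsafe(16)
            self._flows[fid] = (client, self.clock())
            return fid

    def finish_flow(self, fid):
        """Release the slot when the flow completes, fails, or is cancelled."""
        with self._lock:
            return self._flows.pop(fid, None) is not None

    def pending(self):
        with self._lock:
            self._evict_expired()
            return len(self._flows)
```

The handler for the endpoint would call `start_flow` first and answer with a 429 or 503 when it returns `None`; the TTL ensures abandoned flows are reclaimed even if `finish_flow` is never reached.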
Evidence notes
The vulnerability was reported by Vulncheck and is publicly disclosed. The CVE record and NVD details are available. References to the vulnerability include GitHub commits and pull requests related to the fix.